[Catalyst] Where to add access control? Override execute() or dispatch()?

Tomas Doran bobtfish at bobtfish.net
Wed Sep 2 17:42:55 GMT 2009

On 30 Aug 2009, at 21:17, Bill Moseley wrote:
> I'm trying to decide if this is the best approach, or if would be
> better to test the ACL before dispatching.  The issue is if the
> request is for /foo/bar, and an ACL rule blocks that, should
> Foo::(begin|end|auto) still run?  Or should it act as if the /foo/bar
> action doesn't exist and not run any begin, auto, or end in the Foo
> controller?

I think that either would be a valid design decision.

I don't think that entirely shortcutting dispatch gives you as much  
flexibility, and I tend to do the 'hard' part of the hit in the  
terminus action anyway, so running the begin action isn't a big deal  
for me.

I personally prefer it to be done on a per-action basis, as I _want_  
begin / end / auto to run even in the case where the action itself is  
denied (as this gives you the chance to 'whitelist' the action given  
special conditions for one example, or to use the end action to  
serialize an 'access denied' REST response back in a site with an API  
for another example).


More information about the Catalyst mailing list